Emmanuel A. Anene

Implementing Storage Access Controls.

Azure Storage Account: A core service in Microsoft Azure that offers secure, cloud-based storage for different types of data.

Azure Storage Access: This refers to the methods used to access data stored in an Azure Storage account. How you access Azure Storage depends on the type of data you’re working with, such as blobs, files, or queues, and on the level of security and flexibility you require for that access.

In this tutorial, you’ll learn how to complete a few essential tasks for managing an Azure Storage account and its key components.

Let’s say your Azure admin wants you to get hands-on with storage accounts, containers, and file shares. As their organization plans to share more files, they need someone who’s confident using these services. Your goal is to set up a storage container and a file share, then upload files to both.

Step 1: Create a Storage Container

To get started, follow these steps to create your first storage container:

A. On your Azure Portal home page, search for Storage Accounts in the search bar and click on it.

B. Select the storage account (storageacct1demo1) you created earlier while setting up your environment for this exercise. You can click the storage account name (it’s a clickable link) to open it. (Tip: Make sure it’s associated with the resource group RG1.)

C. In the storage account blade,

  1. Go to the Data storage section.
  2. Select Containers.
  3. Click on + Add Container.
  4. In the drop-down, give your container a name (new-container-demo).
  5. Click on Create.

Step 2: Upload a Blob to the Storage Container
Now that you’ve created a storage container, you can upload a blob to it. Find an image file on your computer or download one from the internet and save it locally so it’s ready to upload.

To upload a file to the storage container:
A. Click on the Container (new-container-demo) you just created.

B. On the Created Container page,

  1. Click on Upload.
  2. On the Upload blob page, click Browse Files to add the image file from your computer.
  3. When the file is ready for upload, click on Upload.

BLOB SUCCESSFULLY UPLOADED

Step 3: Change the Access Tier
Once the file is uploaded, you will see its current access tier displayed. Since this file is just for testing, it doesn’t need to stay in the Hot access tier. In the next steps, you’ll update the file’s access tier to a more appropriate setting.

A. Click on the file you just uploaded.

B. On the uploaded file's page, click on Change Tier.

C. On the Change Tier page,

  1. Change the Access Tier to Cold.
  2. Click on Save to save your tier change.

Step 4: Create a File Share
Now that you’ve uploaded a blob and changed its access tier from Hot to Cool, it’s time to move on to file shares. File shares make it easy to store and manage files that can be accessed by multiple users or services.

In this step, you’ll create a new file share within your storage account, which you can then use to upload and organize files.

A. On your Azure Portal home page, search for Storage Accounts in the search bar and click on it.

B. Select the storage account (storageacct1demo1) you created earlier while setting up your environment for this exercise. You can click the storage account name (it’s a clickable link) to open it. (Tip: Make sure it’s associated with the resource group RG1.)

C. In the Storage account page,

  1. Go to the Data storage section.
  2. Select File shares.

D. Click on + File Share.

E. On the Basics tab, give your file share a name (file-share-demo) and then click on Next.

F. Uncheck Enable Backup. Because this is just a demo and learning exercise, you don’t need backup protection: you’re not storing important production data.

G. Click on Review + Create, then click on Create after validation passes.

H. After your file share is created successfully, click on Upload.

I. On the File Share page, click Browse Files to add an image or file from your computer.
When the file is ready for upload, click on Upload.

UPLOADED SUCCESSFULLY INTO YOUR FILE SHARE.

Step 5: Control Access with a Shared Access Signature (SAS) Token.
The next step is to look at how to control access to the files you have uploaded. Azure provides several methods for managing file access, such as Role-Based Access Control (RBAC). In this scenario, the Azure administrator wants you to use a Shared Access Signature (SAS) token or storage keys to grant limited access.

Create a Shared Access Signature (SAS) Token

A. On your Azure Portal home page, search for Storage Accounts in the search bar and click on it.

B. Select the storage account (storageacct1demo1) you created earlier while setting up your environment for this exercise. You can click the storage account name (it’s a clickable link) to open it. (Tip: Make sure it’s associated with the resource group RG1.)

C. On the Storage Account page,

  1. Click on Storage Browser.
  2. Expand Blob Containers.
  3. Select the container you created earlier (new-container-demo).

D. Select the More options (...) menu at the end of the line for the uploaded image.

E. Select Generate SAS.

F. On the Generate SAS blade,

  1. For Signing method, choose Account key: Simple and quick for demos; no extra setup needed.

  2. For Signing key, select Key 1: Default option; easy to rotate later if needed.

  3. For Stored access policy, select None: Fine for testing; settings are defined directly in the SAS.

  4. For Permissions, select Read only: Safer; users can only view or download, not change or delete.

  5. Enter your preferred custom start and expiry time or leave the defaults.

  6. For Allowed IP addresses, leave it blank if this is for testing (demo); for production, restrict to trusted IPs.

  7. For Allowed protocols, select HTTPS only: It encrypts traffic and keeps your data secure in transit.

  8. Click Generate SAS token and URL to finish!

G. Copy the Blob SAS URL, then paste it into a new browser tab or window. The image you uploaded should display. Leave this tab open for later use.

Step 6: Rotate Access Keys to Revoke SAS Access.
Once you’ve created a SAS token, anyone with that link can access the file for as long as the token is valid. But managing access is not just about granting permissions; it’s also about being able to revoke them when needed.

To revoke a SAS token, you must invalidate it. The simplest way to do this is to rotate the access key used to sign the SAS.

A. On your Azure Portal home page, search for Storage Accounts in the search bar and click on it.

B. Select the storage account (storageacct1demo1) you created earlier while setting up your environment for this exercise. You can click the storage account name (it’s a clickable link) to open it. (Tip: Make sure it’s associated with the resource group RG1.)

C. On the Storage Account page,

  1. Expand the Security + Networking submenu.
  2. Select Access Keys.
  3. For Key1, select Rotate Key.
  4. Read the warning message about regenerating the access key, and click Yes to acknowledge and proceed.

ROTATE ACCESS KEYS SUCCESSFULLY:

D. After you see the success message confirming the access key has been rotated, return to the browser tab or window where you tested the SAS token and refresh the page. You should now see an authentication failed error.
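
Why the refresh in step D fails, as an added example (not part of the original post and not Azure's own code): a SAS carries an HMAC-SHA256 signature computed with the account key, and the service recomputes it with the keys the account holds at request time. The Python model below uses a simplified string-to-sign, constructed keys, a constructed blob name and clock, and hypothetical function names (`fake_key`, `sign`, `make_sas`, `check_request`, `demo`).

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

FMT = "%Y-%m-%dT%H:%M:%SZ"
RESOURCE = "/blob/storageacct1demo1/new-container-demo/image.png"  # blob name constructed

def fake_key(label):
    """Constructed 64-byte base64 key standing in for a real account key."""
    return base64.b64encode(hashlib.sha512(label.encode()).digest()).decode()

def sign(key_b64, q):
    # Simplified string-to-sign (assumption): the real one has more fields.
    msg = "\n".join([q["sp"], q["st"], q["se"], RESOURCE, q["spr"]]).encode()
    mac = hmac.new(base64.b64decode(key_b64), msg, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def make_sas(key_b64, start, expiry, perms="r", proto="https"):
    """Step 5 settings: read only, start/expiry window, HTTPS only."""
    q = {"sp": perms, "st": start.strftime(FMT), "se": expiry.strftime(FMT), "spr": proto}
    q["sig"] = sign(key_b64, q)
    return urlencode(q)

def check_request(sas, account_keys, method, scheme, now):
    """Model of the service-side check; returns 'ok' or the refusal reason."""
    q = {k: v[0] for k, v in parse_qs(sas).items()}
    # The signature is recomputed with the keys the account holds right now.
    if not any(hmac.compare_digest(sign(k, q), q["sig"]) for k in account_keys):
        return "authentication failed"
    if scheme not in q["spr"].split(","):
        return "protocol not allowed"
    if not q["st"] <= now.strftime(FMT) <= q["se"]:
        return "outside validity window"
    if {"GET": "r", "PUT": "w", "DELETE": "d"}[method] not in q["sp"]:
        return "permission denied"
    return "ok"

def demo():
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    key1, key2 = fake_key("key1-v1"), fake_key("key2-v1")
    sas = make_sas(key1, now - timedelta(minutes=5), now + timedelta(hours=1))
    out = {"read": check_request(sas, [key1, key2], "GET", "https", now),
           "write": check_request(sas, [key1, key2], "PUT", "https", now),
           "plain_http": check_request(sas, [key1, key2], "GET", "http", now)}
    key1 = fake_key("key1-v2")  # Step 6: Key1 rotated, Key2 untouched
    out["read_after_rotation"] = check_request(sas, [key1, key2], "GET", "https", now)
    return out

if __name__ == "__main__":
    print(demo())
```

Rotating Key1 invalidates every SAS signed with Key1, not only the one from Step 5, while a SAS signed with Key2 keeps working until it expires.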

Wrapping Up

And that is it! In this walkthrough, I created a storage container and a file share, uploaded some data, set up a SAS token to control access, and even learned how to revoke that access by rotating the keys.

This hands-on practice shows how managing storage in Azure is about more than just storing files; it’s about keeping your data secure and knowing exactly who can get to it (and when).

If you found this helpful, feel free to follow, like, and drop a comment. I’d love to hear your thoughts and what you’d like to see next!

Happy learning!
